Continuous Group Membership Change Recertifications

In today's digital age, the growing number of apps and systems can make managing group memberships complex. This is especially challenging for security groups, which provide administrative access to IT systems and resources. For these groups, maintaining transparency in terms of who has access and who grants this access is vital for all security stakeholders.

To address this challenge, EmpowerID offers an advanced solution. Its sophisticated reporting and dashboard features provide comprehensive visibility into group management. These tools allow organizations to easily track the number of groups within each system, identify the members of each group, and understand the level of access granted to each member.

However, while this information is readily available and auditable, it can occasionally be overlooked. To help organizations stay on top of their group management, EmpowerID provides a feature known as "Continuous Group Membership Recertification."

In EmpowerID, if no SetGroup is specified and recertification is enabled for the account store, recertification tasks are automatically generated for all security groups in that account store.


When enabled for a connected system, this feature generates recertification tasks for members of a specified security group whose membership has not been certified within a certain timeframe. These tasks are then sent to the relevant stakeholders for review and can be approved or rejected based on the organization's requirements.

If recertification is rejected, EmpowerID promptly removes the rejected account from the group. On the other hand, if the recertification is approved, EmpowerID records the approval date and schedules the next recertification accordingly.

By providing these features, EmpowerID ensures that your group memberships are always accurately managed and up-to-date, enhancing your organization's overall security and efficiency.


High-level overview of Continuous Group Recertification Process


Components of Continuous Group Membership Recertification

The Continuous Group Membership Recertification feature of EmpowerID includes the components shown in the below table.

Component

Description


Account Store

When you connect EmpowerID to an external system or application, EmpowerID creates an account store for that system. Account stores have properties and settings that allow you to specify how you want EmpowerID to manage the user and group information in that system. For Continuous Group Membership Recertification, the relevant settings include:

  • Recertify External Group Membership Additions as Detected

    • This specifies whether external group memberships should be recertified. If set to true, EmpowerID creates recertification tasks for those groups.

  • SetGroup Of Groups to Monitor for Real-Time Recertification

    • This specifies the SetGroup containing the groups in the account store to be included in recertification. When set, this allows you to target a specific subset of security groups. If no SetGroup is specified and recertification is enabled for the account store, EmpowerID creates recertification tasks for all security groups in the account store.

Permanent Workflow – Continuous Group Membership Recertification

A permanent workflow is a workflow that, when enabled, runs once every X minutes and processes up to X objects targeted by the workflow on each run. The default settings for the Continuous Group Membership Recertification permanent workflow are to process 1000 group memberships every 10 minutes. These settings can be edited as needed.

Request Workflow – Continuous Recertification

In the EmpowerID model, users never interact directly with a workflow; rather, they interact with what is known as a request workflow. A request workflow is one of the resource types registered in the EmpowerID Identity Warehouse that relates to resource acquisition and management. A specific request workflow is an Identity Warehouse resource record corresponding to an EmpowerID workflow and is used to control who may interact with that workflow. Request workflows often have configurable workflow parameters that pass input data to the workflow to process as it executes its code. In the case of the Continuous Recertification request workflow, these parameters include the following:

  • Days

    • Integer that specifies the number of days after which new recertification tasks are created for previously certified group memberships. The default setting is 10 days.

  • BusinessRequestTypeID

    • Business Request Type for the Business Requests generated for group changes.

  • BusinessRequestItemTypeActionID

    • The Business Request Item Type Action of the group membership recertification items.
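The following is an added example, not EmpowerID's own code, that models the recertification cycle described above: one run of the permanent workflow picks up memberships whose last certification is older than the Days parameter (or that were never certified), limited to the batch size and optionally to the groups in a SetGroup; a rejected task removes the account from the group, an approved task records the approval date from which the next task is due. The data classes, function names, the constructed sample memberships and the fixed clock are assumptions of this example; the defaults of 10 days and 1000 memberships per run are the ones the page states.

```python
"""Illustrative model of a continuous group membership recertification loop.

Added example, not EmpowerID code. Data structures, function names and the
sample data are this example's own assumptions; the defaults (10 days,
1000 memberships per run) are the ones the documentation states.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed fixed clock so the example is deterministic.
NOW = datetime(2024, 1, 15, 9, 0)


@dataclass
class Membership:
    group: str
    account: str
    last_certified: Optional[datetime]  # None = never certified (e.g. added outside EmpowerID)


@dataclass
class RecertTask:
    group: str
    account: str
    created: datetime
    decision: Optional[str] = None  # "approve", "reject" or None while pending


def sample_memberships():
    """Constructed sample data: three memberships in two security groups."""
    return [
        Membership("Domain Admins", "alice", NOW - timedelta(days=30)),  # stale: due
        Membership("Domain Admins", "bob", NOW - timedelta(days=3)),     # recently certified
        Membership("Backup Operators", "carol", None),                   # never certified: due
    ]


def is_due(m, now, days):
    """Due when never certified, or certified `days` or more days ago."""
    if m.last_certified is None:
        return True
    return now - m.last_certified >= timedelta(days=days)


def generate_tasks(memberships, now, days=10, batch_size=1000,
                   monitored_groups=None, open_tasks=()):
    """One run of the permanent workflow: create tasks for due memberships.

    `monitored_groups` plays the role of the SetGroup (None = all groups).
    Memberships that already have a pending task are skipped, so repeated runs
    do not create duplicate tasks for the same member.
    """
    pending = {(t.group, t.account) for t in open_tasks if t.decision is None}
    tasks = []
    for m in memberships:
        if len(tasks) >= batch_size:          # honour the per-run batch limit
            break
        if monitored_groups is not None and m.group not in monitored_groups:
            continue
        if (m.group, m.account) in pending:
            continue
        if is_due(m, now, days):
            tasks.append(RecertTask(m.group, m.account, now))
    return tasks


def apply_decision(memberships, task, decision, now):
    """Apply a reviewer decision and return the updated membership list.

    Reject removes the account from the group; approve stamps the approval
    date so the next task falls due `days` later.
    """
    task.decision = decision
    if decision == "reject":
        return [m for m in memberships
                if not (m.group == task.group and m.account == task.account)]
    if decision == "approve":
        for m in memberships:
            if m.group == task.group and m.account == task.account:
                m.last_certified = now
        return memberships
    raise ValueError(f"unknown decision: {decision}")


def next_due(m, days=10):
    """Date of the next recertification task for a certified membership."""
    return None if m.last_certified is None else m.last_certified + timedelta(days=days)


if __name__ == "__main__":
    ms = sample_memberships()
    tasks = generate_tasks(ms, NOW, days=10)
    for t in tasks:
        print(f"task: {t.account} in {t.group}")
    ms = apply_decision(ms, tasks[0], "reject", NOW)
    ms = apply_decision(ms, tasks[1], "approve", NOW)
    for m in ms:
        print(f"{m.account} in {m.group}: next due {next_due(m)}")
```

Running the module creates tasks for alice (stale) and carol (never certified) but not bob; rejecting alice's task drops her from Domain Admins, and approving carol's task stamps today's date so her next task is due ten days later.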
